Bug 407901 - dnsmasq denied access to /var/lib/misc/dnsmasq.leases
Product: Fedora
Classification: Fedora
Component: dnsmasq
All Linux
low Severity low
Assigned To: Jima
Fedora Extras Quality Assurance
Reported: 2007-12-02 10:54 EST by Aaron Kaplan
Modified: 2009-05-29 09:04 EDT (History)
Last Closed: 2008-01-24 14:27:36 EST
Description Aaron Kaplan 2007-12-02 10:54:40 EST
When started, dnsmasq reports:

  dnsmasq: cannot open or create lease file /var/lib/misc/dnsmasq.leases: Permission denied

The selinux log shows:

  avc: denied { search } for comm=dnsmasq dev=sda2 name=misc pid=3809 scontext=system_u:system_r:dnsmasq_t:s0 tclass=dir

I have worked around this by commenting out the recently-added line

  /var/lib/misc(/.*)?    system_u:object_r:system_crond_var_lib_t:s0

in /etc/selinux/targeted/contexts/files/file_contexts .
Comment 1 Daniel Walsh 2007-12-02 20:39:18 EST
dnsmasq should not be using this directory.  Please create a directory for use
by dnsmasq and I will set the labeling properly.  
Comment 2 Jima 2007-12-03 09:35:49 EST
/var/lib/dnsmasq/ sound sane?
Comment 3 Jima 2007-12-13 08:46:53 EST
Daniel: I've made the necessary changes to dnsmasq in Rawhide; if you could work
your selinux magic to make access to /var/lib/dnsmasq/ legal, I'd appreciate it.

Comment 4 Peter Bieringer 2008-01-24 08:51:28 EST

@Aaron: you should store local definitions to

@Jima: Aaron and your hints are working, but I see one additional issue: one has
to change the default location to the mentioned one or change at least the
default configuration file.

Comment 5 Jima 2008-01-24 14:11:24 EST
(In reply to comment #4)
> @Jima: Aaron and your hints are working, but I see one additional issue: one has
> to change the default location to the mentioned one or change at least the
> default configuration file.

 Sounds like someone hasn't seen the disgusting hackery I had to put in
Rawhide's dnsmasq.
 The %post for the Rawhide dnsmasq changes /var/lib/misc to /var/lib/dnsmasq in
/etc/dnsmasq.conf.  It's not great, but it should keep most people working, and
make dnsmasq selinux-compliant.

 Daniel, what's the status of the labeling in Rawhide?  Did you get it squared away?
Comment 6 Daniel Walsh 2008-01-24 14:18:35 EST
Should be fixed in rawhide now.

Fixed in selinux-policy-3.2.3-18.fc9

Fedora 8 also has it.

Fixed in selinux-policy-3.0.8-82.fc8
Comment 7 Jima 2008-01-24 14:27:36 EST
Awesome, thanks Daniel.

I'm going to close this as RAWHIDE; due to the hacky nature of the
directory-change workaround, I'm rather hesitant to push it for F8/F7.
Comment 8 Peter Bieringer 2008-01-25 06:06:48 EST
Can you point me to selinux-policy-3.0.8-82.fc8? I did not find it.

BTW: I hope writing to the file is also allowed:

#============= dnsmasq_t ==============
allow dnsmasq_t system_crond_var_lib_t:file write;
Comment 9 Daniel Walsh 2008-01-25 10:04:49 EST
Sorry should have said 81.  82 is not released yet.  81 should be in fedora
testing.  It is allowed to write to /var/lib/dnsmasq  which is labeled
dnsmasq_leases_t (I believe).
Comment 10 Peter Bieringer 2008-01-26 05:51:25 EST
Hm, something wrong with fedora updates testing, is it not up-to-date?

# date
Sa 26. Jan 11:47:23 CET 2008
# yum list --enablerepo updates-testing selinux-policy*
Loading "fastestmirror" plugin
Loading "security" plugin
Loading "presto" plugin
Loading mirror speeds from cached hostfile
 * updates-testing: download.fedora.redhat.com
 * updates: ftp.crc.dk
 * adobe-linux-i386: linuxdownload.adobe.com
 * fedora: ftp.crc.dk
Setting up and reading Presto delta metadata
updates-testing           100% |=========================| 2.3 kB    00:00     
No Presto metadata available for updates-testing
No Presto metadata available for updates
No Presto metadata available for adobe-linux-i386
No Presto metadata available for fedora
Installed Packages
selinux-policy.noarch                    3.0.8-76.fc8           installed       
selinux-policy-targeted.noarch           3.0.8-76.fc8           installed       
Available Packages
selinux-policy-devel.noarch              3.0.8-76.fc8           updates         
selinux-policy-mls.noarch                3.0.8-76.fc8           updates         
Comment 11 Mauricio Teixeira 2008-01-30 16:31:48 EST
Problem persists in F8, even though change log says otherwise...

# rpm -qa selinux*

avc: denied { search } for comm=dnsmasq dev=sda6 egid=0 euid=0
exe=/usr/sbin/dnsmasq exit=4 fsgid=0 fsuid=0 gid=0 items=0 name=misc pid=17794
scontext=unconfined_u:system_r:dnsmasq_t:s0 sgid=0
subj=unconfined_u:system_r:dnsmasq_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=pts1 uid=0

Different issue maybe?
Comment 12 Jima 2008-01-30 21:14:35 EST
Are you using /var/lib/misc or /var/lib/dnsmasq?  I haven't pushed the fix to
use the latter into F8, due to the hacky nature of the migration script.
Comment 13 Mauricio Teixeira 2008-02-05 11:46:18 EST

This is the default in the config file. I have never changed it.
Comment 14 Jima 2008-02-05 12:01:36 EST
Your best bet is probably to:

# mkdir /var/lib/dnsmasq
# mv /var/lib/misc/dnsmasq.leases /var/lib/dnsmasq/
# echo "dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases" >> /etc/dnsmasq.conf
(since what you quoted is commented out anyway)
# service dnsmasq restart

After that, SELinux shouldn't complain.

This will be the default behavior in F9.
Comment 15 Daniel Walsh 2008-02-05 15:02:36 EST
You also need a 

restorecon -R -v /var/lib/dnsmasq/
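
The manual steps from comments 14 and 15 combined into one re-runnable function, as an added example that is not part of the original bug thread or of the Fedora package's %post script. The function name and the optional root-prefix argument are assumptions made so it can be tried against a scratch tree; the paths and the restorecon call are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the bug thread): idempotent form of the workaround.
# migrate_dnsmasq_leases and its ROOT argument are hypothetical; ROOT is a
# path prefix, empty on a live system, so the steps can be tested in a scratch tree.
migrate_dnsmasq_leases() {
    root="${1:-}"
    old="$root/var/lib/misc/dnsmasq.leases"
    newdir="$root/var/lib/dnsmasq"
    conf="$root/etc/dnsmasq.conf"
    want="dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases"

    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }

    mkdir -p "$newdir" || return 1

    # Move an existing lease file, but never clobber one already in place.
    # mv keeps the file's old SELinux label, hence the relabel step below.
    if [ -f "$old" ] && [ ! -e "$newdir/dnsmasq.leases" ]; then
        mv "$old" "$newdir/" || return 1
    fi

    # Drop any active dhcp-leasefile line (commented defaults are left alone)
    # and append exactly one pointing at the new directory, so repeated runs
    # do not pile up duplicate settings the way a bare ">>" would.
    tmp="$conf.tmp.$$"
    { awk '!/^[ \t]*dhcp-leasefile=/' "$conf"; printf '%s\n' "$want"; } > "$tmp" || return 1
    # Write back through the existing inode so owner, mode and label are kept.
    cat "$tmp" > "$conf" || return 1
    rm -f "$tmp"

    # Relabel only on a live system where the SELinux tools are installed.
    if [ -z "$root" ] && command -v restorecon >/dev/null 2>&1; then
        restorecon -R -v /var/lib/dnsmasq/
    fi
}
# On a live system, as root: migrate_dnsmasq_leases && service dnsmasq restart
```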
Comment 16 Adam Pribyl 2008-02-23 10:20:22 EST
This is a strange fix for F8 users... :( Dnsmasq just does not work after
install, you have to make it manually.
Comment 17 Jima 2008-05-29 18:37:12 EDT
*** Bug 449032 has been marked as a duplicate of this bug. ***
Comment 18 Patrick Laughton 2009-05-29 09:04:44 EDT
*** Bug 468279 has been marked as a duplicate of this bug. ***
